Resource Development

T1583.001: Domains

T1583.001 · Sub-technique · 1 platform · 44 groups

Description

Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.

Adversaries may use acquired domains for a variety of purposes, including Phishing, Drive-by Compromise, and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through the use of homoglyphs or of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via Drive-by Compromise. Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g., Cyrillic or Greek) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing)

Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique)

Adversaries may also acquire and repurpose expired domains, which may already be allowlisted or trusted by defenders on the strength of their existing reputation and history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering)

Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)

In addition to legitimately purchasing a domain, an adversary may register a new domain in a compromised environment. For example, in AWS environments, adversaries may leverage the Route53 domain service to register a domain and create hosted zones pointing to resources of the threat actor’s choosing.(Citation: Invictus IR DangerDev 2024)
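The lookalike patterns described above (homoglyphs, IDN homographs, swapped TLDs and typosquats) can be checked for in DNS or proxy logs by comparing each observed registrable domain against a watchlist of the names an organisation protects. The script below is an added example, not part of the ATT&CK page or any MITRE tooling; the watchlist, the short confusable table and the observed domains are all constructed, and taking the last two labels as the registrable domain is a simplifying assumption.

```python
import unicodedata

# Constructed confusable map (Cyrillic/Greek -> Latin); load the full Unicode
# confusables.txt table in a real deployment, this excerpt is only illustrative.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u03bf": "o",
}

def to_unicode(domain):  # A-labels (xn--...) -> U-labels, so the lookalike is visible
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:  # already Unicode, or malformed punycode: keep as-is
        return domain

def skeleton(label):  # reduce a label to the Latin string a reader would perceive
    s = unicodedata.normalize("NFKC", label).lower()
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    return s.replace("rn", "m").replace("vv", "w")
def registrable(domain):  # last two labels; assumption, use the Public Suffix List
    return ".".join(domain.rstrip(".").lower().split(".")[-2:])
def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(observed, watchlist):
    """Return (verdict, matched watch domain); ('clean', None) means no match."""
    reg = registrable(to_unicode(observed))
    sld, skel = reg.split(".")[0], skeleton(reg.split(".")[0])
    for watched in watchlist:
        w_sld = registrable(watched).split(".")[0]
        if reg == watched:
            return "exact", watched
        if skel == w_sld:  # same perceived name: homoglyph bytes or a swapped TLD
            return ("tld-swap" if sld == w_sld else "homograph"), watched
        if levenshtein(skel, w_sld) <= 1:
            return "typosquat", watched
        if w_sld in skel:
            return "brand-keyword", watched
    return "clean", None
WATCHLIST = ["paypal.com", "dropbox.com"]  # domains the organisation protects
OBSERVED = ["paypal.com", "xn--pypal-4ve.com", "paypal.co", "paypall.com",
            "dropbox-files.net", "example.org"]  # constructed DNS-log sample
for d in OBSERVED:
    print(f"{d:20} {to_unicode(d):20} {classify(d, WATCHLIST)}")
```

Only the legitimate domain comes back as `exact`; everything else flagged is a candidate for blocking or for a low-volume alert, which is where newly registered or expired-and-repurposed lookalikes usually surface first.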

Platforms

PRE

Mitigations (1)

M1056: Pre-compromise

Organizations may intentionally register similar domains to their own to deter adversaries from creating typosquatting domains. Other facets of this technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Threat Groups (44)

| ID | Group | Context |
|---|---|---|
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) registered domains imitating NATO, OSCE security websites, Caucasus information resources, and other or... |
| G0092 | TA505 | [TA505](https://attack.mitre.org/groups/G0092) has registered domains to impersonate services such as Dropbox to distribute malware.(Citation: Korean ... |
| G0099 | APT-C-36 | [APT-C-36](https://attack.mitre.org/groups/G0099) has acquired domains to host malicious payloads.(Citation: Kaspersky BlindEagle AUG 2024)(Citation: ... |
| G1046 | Storm-1811 | [Storm-1811](https://attack.mitre.org/groups/G1046) has created domains for use with RMM tools.(Citation: rapid7-email-bombing) |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has established domains, some of which appeared to spoof legitimate domains for use in operations.... |
| G1001 | HEXANE | [HEXANE](https://attack.mitre.org/groups/G1001) has registered and operated domains for campaigns, often using a security or web technology theme or i... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has registered domains for messaging purposes.(Citation: SPECOPS Outpost24 Handala Hack Stryke... |
| G1033 | Star Blizzard | [Star Blizzard](https://attack.mitre.org/groups/G1033) has registered domains using randomized words and with names resembling legitimate organization... |
| G1044 | APT42 | [APT42](https://attack.mitre.org/groups/G1044) has registered domains, several of which masqueraded as news outlets and login services, for use in ope... |
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has registered domains to leverage in their social engineering campaigns.(Citation: Reco... |
| G0006 | APT1 | [APT1](https://attack.mitre.org/groups/G0006) has registered hundreds of domains for use in operations.(Citation: Mandiant APT1) |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) has set up and operated websites to gather information and deliver malware.(Citation: Volexity Ocean Lo... |
| G0136 | IndigoZebra | [IndigoZebra](https://attack.mitre.org/groups/G0136) has established domains, some of which were designed to look like official government domains, fo... |
| G0065 | Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has established domains that impersonate legitimate entities to use for targeting efforts.(Citatio... |
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) has registered domains, intended to look like legitimate target domains, that have been used in w... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has registered domains to spoof targeted organizations and trusted third parties including search eng... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) has registered domains to spoof legitimate corporate login portals.(Citation: Check Point Sc... |
| G0035 | Dragonfly | [Dragonfly](https://attack.mitre.org/groups/G0035) has registered domains for targeting intended victims.(Citation: CISA AA20-296A Berserk Bear Decemb... |
| G1018 | TA2541 | [TA2541](https://attack.mitre.org/groups/G1018) has registered domains often containing the keywords “kimjoy,” “h0pe,” and “grace,” using domain regis... |
| G0140 | LazyScripter | [LazyScripter](https://attack.mitre.org/groups/G0140) has used dynamic DNS providers to create legitimate-looking subdomains for C2.(Citation: Malware... |

Associated Software (3)

| ID | Name | Type | Context |
|---|---|---|---|
| S1130 | Raspberry Robin | Malware | [Raspberry Robin](https://attack.mitre.org/software/S1130) uses newly-registered domains containing only a few characters for command and control pur... |
| S1111 | DarkGate | Malware | [DarkGate](https://attack.mitre.org/software/S1111) command and control includes hard-coded domains in the malware chosen to masquerade as legitimate ... |
| S1207 | XLoader | Malware | [XLoader](https://attack.mitre.org/software/S1207) can utilize hardcoded command and control domain configurations created by the XLoader authors. The... |

Frequently Asked Questions

What is T1583.001 (Domains)?

T1583.001 is a MITRE ATT&CK sub-technique named 'Domains'. It belongs to the Resource Development tactic. Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.

How can T1583.001 be detected?

Detection of T1583.001 (Domains) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1583.001?

There is 1 documented mitigation for T1583.001: Pre-compromise (M1056).

Which threat groups use T1583.001?

Known threat groups using T1583.001 include: APT28, TA505, APT-C-36, Storm-1811, MuddyWater, HEXANE, VOID MANTICORE, Star Blizzard.